* Fwd: Linux as router (Gateway Server)
[not found] <1dceb012050211233357e23dd4@mail.gmail.com>
@ 2005-02-12 7:48 ` Navneet Choudhary
2005-02-12 8:15 ` Askar
2005-02-12 14:01 ` Fwd: " Jason Opperisano
0 siblings, 2 replies; 17+ messages in thread
From: Navneet Choudhary @ 2005-02-12 7:48 UTC (permalink / raw)
To: netfilter@lists.netfilter.org
hi list,
I require further co-operation from your side.
Squid Server is serving as Proxy server, Gateway & Firewall
Problem:
Squid daemon dies at startup.
Here is log output of /var/log/messages
Feb 12 09:15:25 squid squid[3652]: Squid Parent: child process 3654 started
Feb 12 09:15:25 squid (squid): Cannot open HTTP Port
Feb 12 09:15:29 squid squid[3720]: Squid Parent: child process 3722
exited due to signal 6
Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385 started
Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385
exited with status 1
Feb 12 09:15:33 squid (squid): Cannot open HTTP Port
Why is my iptables rule blocking squid from opening the HTTP port?
Note: the existing rules are attached at the end of this mail.
Since the process will not die if I disable/flush my rules?
Squid is being started from /etc/rc.local.
Where am I making mistakes?
Please suggest, since it's causing a startup hiccup.
Thanks & regards,
Navneet Choudhary
Updates & quick recap
1. Basically I want clients to be able to:
a) Send and receive mail from mail.ISP.net [X.X.X.160] and
sometimes from X.X.X.78
Status: Working
b) Browse the net through squid [3128]
Status: Working
c) Use Jabber [??], MSN [1863] and Yahoo [5050]
Status: Working
d) Download and upload data using FTP from 202.134.192.21 & 221.171.85.41
Status: Working
e) Download and upload data using SonicMQ [IP & port?]
Status: Require HELP
f) Allow SSH connections to this system [eth0].
Status: Working
g) Ping/traceroute by domain name, e.g. ping yahoo.com
Status: Working
2. What am I using?
My network configuration is as follows:

              WAN
               |
    eth1 (172.21.0.133/28)
               |
    Red Hat 9 [Squid Proxy, Gateway, firewall & FTP]
               |
    eth0 (133.147.0.0/16)
               |
    ---- SWITCH ----
               |
              LAN

where:
eth0 - Intel Corp. 82557/8/9 [Ethernet Pro 100]
eth1 - Broadcom Corporation NetXtreme BCM5702 Gigabit Ethernet
Kernel 2.4.20-8
iptables v1.2.7a
3. What I have done:
a) Enabled IP forwarding by adding to /etc/sysctl.conf:
# Controls IP packet forwarding
net.ipv4.ip_forward = 1
b) Automatic loading of modules by adding to /etc/rc.local:
# ip_nat_ftp needs symbols from ip_conntrack_ftp, so the conntrack helper must be loaded first
/sbin/insmod ip_conntrack_ftp
/sbin/insmod ip_nat_ftp
c) Firewall rules as follows:
# Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
*mangle
:PREROUTING ACCEPT [1308:428675]
:INPUT ACCEPT [1308:428675]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [1273:553710]
:POSTROUTING ACCEPT [1273:553710]
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG FIN,PSH,URG -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN,RST,PSH,ACK,URG NONE -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags SYN,RST SYN,RST -j DROP
-A PREROUTING -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
COMMIT
# Completed on Thu Feb 10 20:02:43 2005
# Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
*nat
:PREROUTING ACCEPT [10233:846887]
:POSTROUTING ACCEPT [71:4821]
:OUTPUT ACCEPT [67:4688]
-A POSTROUTING -s 133.147.0.0/255.255.0.0 -o eth1 -j SNAT --to-source 172.21.0.132
COMMIT
# Completed on Thu Feb 10 20:02:43 2005
# Generated by iptables-save v1.2.7a on Thu Feb 10 20:02:43 2005
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 3128 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 22 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 21 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 20 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 25 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 110 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 21 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 20 -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 1863 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -i eth0 -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 5050 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A FORWARD -p icmp -m icmp --icmp-type 8 -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -p udp -m udp --sport 1024:65535 --dport 53 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 --tcp-flags SYN,RST,ACK SYN -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 443 --tcp-flags SYN,RST,ACK SYN -m owner --uid-owner squid -j ACCEPT
-A OUTPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
# Completed on Thu Feb 10 20:02:43 2005
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Linux as router (Gateway Server)
2005-02-12 7:48 ` Fwd: Linux as router (Gateway Server) Navneet Choudhary
@ 2005-02-12 8:15 ` Askar
2005-02-13 16:06 ` Navneet Choudhary
2005-02-12 14:01 ` Fwd: " Jason Opperisano
1 sibling, 1 reply; 17+ messages in thread
From: Askar @ 2005-02-12 8:15 UTC (permalink / raw)
To: Navneet Choudhary; +Cc: netfilter@lists.netfilter.org
Dude, add this rule to your iptables script:
iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
Second, "squid squid[3720]: Squid Parent: child process 3722
exited due to signal 6" is not iptables related; a better place to check
is the squid mailing list.
Are you running squid in interception mode?
Remember, when squid is running in interception mode, packets destined for
the squid machine do not hit the FORWARD chain but INPUT. :)
Note: which version of squid are you using, and what does cache.log say?
Solution: try to upgrade your squid to a newer version.
I hope this will help.
regards
On Sat, 12 Feb 2005 13:18:25 +0530, Navneet Choudhary
<navneetkc@gmail.com> wrote:
> hi list,
>
> I require further co-operation from your side.
>
> Squid Server is serving as Proxy server, Gateway & Firewall
>
> Problem:
> Squid daemon dies at startup.
>
> Here is log output of /var/log/messages
>
> Feb 12 09:15:25 squid squid[3652]: Squid Parent: child process 3654 started
> Feb 12 09:15:25 squid (squid): Cannot open HTTP Port
> Feb 12 09:15:29 squid squid[3720]: Squid Parent: child process 3722
> exited due to signal 6
> Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385 started
> Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385
> exited with status 1
> Feb 12 09:15:33 squid (squid): Cannot open HTTP Port
--
I love deadlines. I like the whooshing sound they make as they fly by.
Douglas Adams
* Re: Fwd: Linux as router (Gateway Server)
2005-02-12 7:48 ` Fwd: Linux as router (Gateway Server) Navneet Choudhary
2005-02-12 8:15 ` Askar
@ 2005-02-12 14:01 ` Jason Opperisano
2005-02-12 22:02 ` Josh Nerius
2005-02-13 17:04 ` Navneet Choudhary
1 sibling, 2 replies; 17+ messages in thread
From: Jason Opperisano @ 2005-02-12 14:01 UTC (permalink / raw)
To: netfilter
On Sat, 2005-02-12 at 02:48, Navneet Choudhary wrote:
> hi list,
>
> I require further co-operation from your side.
>
> Squid Server is serving as Proxy server, Gateway & Firewall
>
> Problem:
> Squid daemon dies at startup.
>
> Here is log output of /var/log/messages
>
> Feb 12 09:15:25 squid squid[3652]: Squid Parent: child process 3654 started
> Feb 12 09:15:25 squid (squid): Cannot open HTTP Port
> Feb 12 09:15:29 squid squid[3720]: Squid Parent: child process 3722
> exited due to signal 6
> Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385 started
> Feb 12 09:15:32 squid squid[3720]: Squid Parent: child process 4385
> exited with status 1
> Feb 12 09:15:33 squid (squid): Cannot open HTTP Port
that has nothing to do with iptables. my guess is that you are either:
(a) telling squid to listen on a port that is already in use by another process
(b) trying to start squid after it's already started
(c) running squid as an unprivileged user and trying to bind to a privileged port
go read:
http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.23
(ps - google is your friend)
> Why my iptables rule blocking squid to open HTTP port.
it isn't.
-j
--
"It's not easy to juggle a pregnant wife and a troubled child, but
somehow I managed to fit in eight hours of TV a day."
--The Simpsons
* Re: Fwd: Linux as router (Gateway Server)
2005-02-12 14:01 ` Fwd: " Jason Opperisano
@ 2005-02-12 22:02 ` Josh Nerius
2005-02-13 2:13 ` Georgi Alexandrov
2005-02-13 17:19 ` Navneet Choudhary
2005-02-13 17:04 ` Navneet Choudhary
1 sibling, 2 replies; 17+ messages in thread
From: Josh Nerius @ 2005-02-12 22:02 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
>> that has nothing to do with iptables.
This could have everything to do with iptables, depending on his
configuration. If there is a redirector being used, the connection
that a child redirector process makes to the squid daemon can be
affected by iptables rules. The fact that it has difficulty binding to
the assigned port may be due to other errors related to this child
process communication causing the squid process to die before it
finishes starting.
As to trying to bind to a privileged port from an unprivileged
account, he already stated that he's binding to the standard 3128.
>> (ps - google is your friend)
It may do you good to keep that in mind.
> > > Why is my iptables rule blocking squid from opening the HTTP port?
I'm currently searching for the exact information from the squid
documentation, but when I had a similar problem about 6 months ago, I
recall adding rules to the INPUT and possibly OUTPUT chains to accept
traffic coming from the loopback interface to/from the squid (or
possibly redirector) port.
> it isn't.
>
> -j
Jason, please do your homework. You have a good knowledge of
netfilter/iptables but please leave subjects you don't understand to
those who do.
Josh Nerius
--
Math problems? Call 1-800-[(10x)(13i)^2]-[sin(xy)/2.362x]
* Re: Fwd: Linux as router (Gateway Server)
2005-02-12 22:02 ` Josh Nerius
@ 2005-02-13 2:13 ` Georgi Alexandrov
2005-02-13 2:33 ` Josh Nerius
2005-02-13 17:21 ` Navneet Choudhary
2005-02-13 17:19 ` Navneet Choudhary
1 sibling, 2 replies; 17+ messages in thread
From: Georgi Alexandrov @ 2005-02-13 2:13 UTC (permalink / raw)
To: netfilter
Josh Nerius wrote:
>>>that has nothing to do with iptables.
>>>
>>>
>
>This could have everything to do with iptables, depending on his
>configuration. If there is a redirector being used, the connection
>that a child redirector process makes to the squid daemon can be
>affected by iptables rules. The fact that it has difficulty binding to
>the assigned port may be due to other errors related to this child
>process communication causing the squid process to die before it
>finishes starting.
>
>As to trying to bind to a privileged port from an unprivileged
>account, he already stated that he's binding to the standard 3128.
>
>
>
>>>(ps - google is your friend)
>>>
>>>
>
>It may do you good to keep that in mind.
>
>
>
>>>>Why is my iptables rule blocking squid from opening the HTTP port?
>>>>
>>>>
>
>I'm currently searching for the exact information from the squid
>documentation, but when I had a similar problem about 6 months ago, I
>recall adding rules to the INPUT and possibly OUTPUT chains to accept
>traffic coming from the loopback interface to/from the squid (or
>possibly redirector) port.
>
>
>
>>it isn't.
>>
>>-j
>>
>>
>
>Jason, please do your homework. You have a good knowledge of
>netfilter/iptables but please leave subjects you don't understand to
>those who do.
>
>Josh Nerius
>
>
>
hello josh.
I stand 100% with Jason O.'s opinion ..
netfilter/iptables has nothing to do with squid binding to some/any port.
whoever had to do his homework ... I believe has done it.
Accessing that port is something different (-i lo -j ACCEPT), but I
believe that's not the case.
regards,
Georgi Alexandrov
* Re: Fwd: Linux as router (Gateway Server)
2005-02-13 2:13 ` Georgi Alexandrov
@ 2005-02-13 2:33 ` Josh Nerius
2005-02-13 11:55 ` Georgi Alexandrov
` (2 more replies)
2005-02-13 17:21 ` Navneet Choudhary
1 sibling, 3 replies; 17+ messages in thread
From: Josh Nerius @ 2005-02-13 2:33 UTC (permalink / raw)
To: netfilter
> hello josh.
>
> I stand 100% with Jason O.'s opinion ..
> netfilter/iptables has nothing to do with squid binding to some/any port.
> whoever had to do his homework ... I believe has done it.
> Accessing that port is something different (-i lo -j ACCEPT), but I
> believe that's not the case.
>
> regards,
> Georgi Alexandrov
Hello George,
From experience...not speculation, I still stand by what I said.
Squid can be a strange animal. In many configurations, the
communication between child processes relies on being able to
communicate via the loopback interface of the machine. Iptables can,
and in configurations I've worked with has, caused the same
symptoms described. Basically, the daemon never gets a chance to bind
to a port as the initial communication between these child processes
is broken, causing the entire startup procedure to fail. This creates the
illusion that the problem is related to binding the port when in fact
the program can't start for other reasons.
This problem *can* be caused by firewall rules in place that prevent
this communication from happening. If you examine the rulesets posted,
it looks like he is using policy DROP on the INPUT chain, which may
certainly cause problems with squid if proper rules to allow the
necessary traffic are not in place.
Another thing to note here, and the reason that I'm of the opinion
that this could be a netfilter/iptables problem, is the fact that the
original poster seems to have indicated that squid works when iptables
is flushed.
The last point mentioned above, coupled with the fact that I've dealt
with this problem during the development of a transparent redirection
appliance for the company I work for, is why I maintain the opinion
that I do.
As mentioned before, Jason has a good knowledge of netfilter, but
apparently not Squid, thus my homework comment.
Thanks, and hopefully this information helps to clarify the
information I posted. :-)
Josh Nerius
--
Math problems? Call 1-800-[(10x)(13i)^2]-[sin(xy)/2.362x]
* Re: Fwd: Linux as router (Gateway Server)
2005-02-13 2:33 ` Josh Nerius
@ 2005-02-13 11:55 ` Georgi Alexandrov
2005-02-13 17:34 ` Navneet Choudhary
2005-02-13 17:26 ` Navneet Choudhary
[not found] ` <420F4010.7050609@hotpop.com>
2 siblings, 1 reply; 17+ messages in thread
From: Georgi Alexandrov @ 2005-02-13 11:55 UTC (permalink / raw)
To: netfilter
Josh Nerius wrote:
>>hello josh.
>>
>>I stand 100% with Jason O.'s opinion ..
>>netfilter/iptables has nothing to do with squid binding to some/any port.
>>whoever had to do his homework ... I believe has done it.
>>Accessing that port is something different (-i lo -j ACCEPT), but I
>>believe that's not the case.
>>
>>regards,
>>Georgi Alexandrov
>>
>>
>
>Hello George,
>
>From experience...not speculation, I still stand by what I said.
>
>Squid can be a strange animal. In many configurations, the
>communication between child processes relies on being able to
>communicate via the loopback interface of the machine. Iptables can,
>and in configurations I've worked with has, caused the same
>symptoms described. Basically, the daemon never gets a chance to bind
>to a port as the initial communication between these child processes
>is broken, causing the entire startup procedure to fail. This creates the
>illusion that the problem is related to binding the port when in fact
>the program can't start for other reasons.
>
>This problem *can* be caused by firewall rules in place that prevent
>this communication from happening. If you examine the rulesets posted,
>it looks like he is using policy DROP on the INPUT chain which may
>certainly cause problems with squid if proper rules to allow the
>necessary traffic are not in place.
>
>Another thing to note here, and the reason that I'm of the opinion
>that this could be a netfilter/iptables problem is the fact that the
>original poster seems to have indicated that squid works when iptables
>is flushed.
>
>The last point mentioned above, coupled with the fact that I've dealt
>with this problem during the development of a transparent redirection
>appliance for the company I work for, is why I maintain the opinion
>that I do.
>
>As mentioned before, Jason has a good knowledge of netfilter, but
>apparently not Squid, thus my homework comment.
>
>Thanks, and hopefully this information helps to clarify the
>information I posted. :-)
>
>Josh Nerius
>
>
>
>
hola Josh,
I did a quick test:
DROP policy on the INPUT chain, and flushed all the rules (as a result I
couldn't even ping myself).
squid: standard debian/unstable package - unprivileged user, port 3128.
The result: squid is able to bind to its port fine, with DROP policy on
the INPUT chain and no rules at all.
regards,
Georgi Alexandrov
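The disagreement in the last few messages turns on what netfilter can and cannot influence: a bind() on port 3128 never passes through a netfilter chain, which is what Georgi's test shows, but any packet a helper or redirector sends to the daemon over loopback does traverse INPUT. As an added example (not code from any poster), this Python script parses the INPUT chain posted in the thread, reproduced inline and trimmed to the rules relevant to port 3128, and walks a few connection attempts through it; the gateway's own address 133.147.0.1 and the placement of the `-i lo` rule are assumptions for illustration.

```python
import ipaddress
import shlex

# Constructed sample: the INPUT chain of the filter table posted in the
# thread, trimmed to the rules a connection to Squid's port 3128 can hit.
RULESET = """\
*filter
:INPUT DROP [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 3128 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A INPUT -p udp -j DROP
-A INPUT -p tcp -m tcp --tcp-flags SYN,RST,ACK SYN -j DROP
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
COMMIT
"""

SIMPLE = {"-i": "in_if", "-p": "proto", "-j": "target"}  # one-argument options


def parse_rule(line):
    """Turn one iptables-save '-A CHAIN ...' line into a match dict.
    Only the matches used in the posted rules are understood."""
    toks = shlex.split(line)
    rule, i = {}, 2
    while i < len(toks):
        opt, arg = toks[i], toks[i + 1]
        if opt == "--tcp-flags":  # takes two arguments: mask and comp
            comp = toks[i + 2]
            rule["flags"] = (set(arg.split(",")),
                             set() if comp == "NONE" else set(comp.split(",")))
            i += 1
        elif opt in SIMPLE:
            rule[SIMPLE[opt]] = arg
        elif opt == "-s":
            rule["src"] = ipaddress.ip_network(arg, strict=False)
        elif opt in ("--sport", "--dport"):
            low, _, high = arg.partition(":")  # "1024:65535" or "3128"
            rule[opt[2:]] = (int(low), int(high or low))
        elif opt == "--state":
            rule["state"] = set(arg.split(","))
        elif opt == "--icmp-type":
            rule["icmp_type"] = int(arg)
        # "-m tcp" / "-m state" / "-m icmp" only load a match module
        i += 2
    return rule


def parse_chain(text, chain="INPUT"):
    """Return (policy, rules) for one chain of an iptables-save dump."""
    policy, rules = "ACCEPT", []
    for line in text.splitlines():
        if line.startswith(f":{chain} "):
            policy = line.split()[1]
        elif line.startswith(f"-A {chain} "):
            rules.append(parse_rule(line))
    return policy, rules


def matches(rule, pkt):
    """True if every match present in the rule agrees with the packet."""
    if "src" in rule and ipaddress.ip_address(pkt["src"]) not in rule["src"]:
        return False
    for key in ("in_if", "proto"):
        if key in rule and rule[key] != pkt.get(key):
            return False
    for key in ("sport", "dport"):
        if key in rule and not rule[key][0] <= pkt.get(key, -1) <= rule[key][1]:
            return False
    if "flags" in rule:
        mask, comp = rule["flags"]
        if (pkt.get("flags", set()) & mask) != (comp & mask):
            return False
    if "state" in rule and pkt.get("state") not in rule["state"]:
        return False
    return "icmp_type" not in rule or pkt.get("icmp_type") == rule["icmp_type"]


def verdict(policy, rules, pkt):
    """First matching terminal rule wins, else the chain policy applies.
    Returns (verdict, index of the deciding rule or None for the policy)."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt) and rule.get("target") in ("ACCEPT", "DROP", "REJECT"):
            return rule["target"], idx
    return policy, None


def tcp_syn(in_if, src, dport, sport=40000):
    """A NEW TCP connection attempt, as conntrack and the tcp match see it."""
    return {"in_if": in_if, "src": src, "proto": "tcp", "sport": sport,
            "dport": dport, "flags": {"SYN"}, "state": "NEW"}


def demo():
    """Walk four constructed connection attempts through the posted chain."""
    policy, rules = parse_chain(RULESET)
    own_ip = "133.147.0.1"  # assumed eth0 address of the gateway itself
    # Georgi's "-i lo -j ACCEPT" matches by interface, not by source address
    fixed = [parse_rule("-A INPUT -i lo -j ACCEPT")] + rules
    return {
        # LAN client on eth0 opening the proxy port: the 3128 rule accepts it
        "lan": verdict(policy, rules, tcp_syn("eth0", "133.147.10.20", 3128)),
        # local process to 127.0.0.1:3128: "-s 127.0.0.1" accepts it
        "lo_local": verdict(policy, rules, tcp_syn("lo", "127.0.0.1", 3128)),
        # local process to the host's own eth0 address still arrives on lo,
        # but its source is not 127.0.0.1, so the catch-all SYN DROP fires
        "lo_self": verdict(policy, rules, tcp_syn("lo", own_ip, 3128)),
        # the same packet with the interface-based loopback rule at the top
        "lo_fixed": verdict(policy, fixed, tcp_syn("lo", own_ip, 3128)),
    }
```

demo() returns the verdict and the index of the deciding rule for each case; lo_self comes back DROP from the catch-all SYN rule, while lo_fixed is accepted by the loopback rule.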
* Re: Linux as router (Gateway Server)
2005-02-12 8:15 ` Askar
@ 2005-02-13 16:06 ` Navneet Choudhary
0 siblings, 0 replies; 17+ messages in thread
From: Navneet Choudhary @ 2005-02-13 16:06 UTC (permalink / raw)
To: Askar; +Cc: netfilter@lists.netfilter.org
> Dude, add this rule to your iptables script:
> iptables -A INPUT -p tcp -s 0/0 --dport 80 -j ACCEPT
Tried this; the problem still exists.
> Second, "squid squid[3720]: Squid Parent: child process 3722
> exited due to signal 6" is not iptables related; a better place to check
> is the squid mailing list.
Didn't I mention in my original mail:
"Since the process will NOT die if I disable/flush my rules?"
> Are you running squid in interception mode?
So, what?
> Remember, when squid is running in interception mode, packets destined for
> the squid machine do not hit the FORWARD chain but INPUT. :)
Then allowing INPUT to port 80 should have worked?
Since I've already allowed local loopback in my rules.
> Note: which version of squid are you using, and what does cache.log say?
> Solution: try to upgrade your squid to a newer version.
squid-2.5.STABLE7, the latest one at the time of installation.
Upgrade? Any particular strong reason for that?
> I hope this will help.
>
> regards
>
^ permalink raw reply [flat|nested] 17+ messages in thread
* Re: Fwd: Linux as router (Gateway Server)
2005-02-12 14:01 ` Fwd: " Jason Opperisano
2005-02-12 22:02 ` Josh Nerius
@ 2005-02-13 17:04 ` Navneet Choudhary
1 sibling, 0 replies; 17+ messages in thread
From: Navneet Choudhary @ 2005-02-13 17:04 UTC (permalink / raw)
To: Jason Opperisano; +Cc: netfilter
> > Feb 12 09:15:33 squid (squid): Cannot open HTTP Port
>
> that has nothing to do with iptables. my guess is that you are either:
>
> (a) telling squid to listen on a port that is already in use by another process
No, squid is listening on port 3128 (not used by any other process).
> (b) trying to start squid after it's already started
No, it's just started once.
> (c) running squid as an unprivileged user and trying to bind to a
> privileged port
No, it's being started by root. Afterward it's owned by squid.
Is this stopping squid from accessing the HTTP port?
Since the OUTPUT rule only allows user squid to access port 80 [wild guess]:
-A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 --tcp-flags SYN,RST,ACK SYN -m owner --uid-owner squid -j ACCEPT
> go read:
>
> http://www.squid-cache.org/Doc/FAQ/FAQ-11.html#ss11.23
>
> (ps - google is your friend)
Always been our friend.
> > Why my iptables rule blocking squid to open HTTP port.
>
> it isn't.
I think this problem is somehow related to the iptables rules,
since the squid daemon won't die if I start it with no firewall rules
(allowing everything to pass, no blocking/restrictions).
> -j
By the way, all my iptables rules were lifted from or inspired by your
reply to this mailing list [posted this month].
Thank you for your help & co-operation
regards,
Navneet
> --
> "It's not easy to juggle a pregnant wife and a troubled child, but
> somehow I managed to fit in eight hours of TV a day."
> --The Simpsons
>
>
* Re: Fwd: Linux as router (Gateway Server)
2005-02-12 22:02 ` Josh Nerius
2005-02-13 2:13 ` Georgi Alexandrov
@ 2005-02-13 17:19 ` Navneet Choudhary
1 sibling, 0 replies; 17+ messages in thread
From: Navneet Choudhary @ 2005-02-13 17:19 UTC (permalink / raw)
To: Josh Nerius; +Cc: netfilter
On Sat, 12 Feb 2005 16:02:58 -0600, Josh Nerius <jnerius@gmail.com> wrote:
> >> that has nothing to do with iptables.
>
> This could have everything to do with iptables, depending on his
> configuration. If there is a redirector being used, the connection
> that a child redirector process makes to the squid daemon can be
Yes, I am using SquidGuard.
> affected by iptables rules. The fact that it has difficulty binding to
> the assigned port may be due to other errors related to this child
> process communication causing the squid process to die before it
> finishes starting.
>
> As to trying to bind to a privileged port from an unprivileged
> account, he already stated that he's binding to the standard 3128.
>
> >> (ps - google is your friend)
>
> It may do you good to keep that in mind.
>
> > > > Why my iptables rule blocking squid to open HTTP port.
>
> I'm currently searching for the exact information from the squid
> documentation, but when I had a similar problem about 6 months ago, I
> recall adding rules to the INPUT and possibly OUTPUT chains to accept
> traffic coming from the loopback interface to/from the squid (or
> possibly redirector) port.
Allowing loopback [used]:
-A INPUT -s 127.0.0.1 -j ACCEPT
Any other rule? Possibly for OUTPUT?
> > it isn't.
> >
> > -j
>
> Jason, please do your homework. You have a good knowledge of
> netfilter/iptables but please leave subjects you don't understand to
> those who do.
>
> Josh Nerius
>
> --
> Math problems? Call 1-800-[(10x)(13i)^2]-[sin(xy)/2.362x]
>
>
* Re: Fwd: Linux as router (Gateway Server)
2005-02-13 2:13 ` Georgi Alexandrov
2005-02-13 2:33 ` Josh Nerius
@ 2005-02-13 17:21 ` Navneet Choudhary
1 sibling, 0 replies; 17+ messages in thread
From: Navneet Choudhary @ 2005-02-13 17:21 UTC (permalink / raw)
To: Georgi Alexandrov; +Cc: netfilter
> hello josh.
>
> I stand 100% with Jason O.'s opinion ..
> netfilter/iptables has nothing to do with squid binding to some/any port.
> whoever had to do his homework ... I believe has done it.
> Accessing that port is something different (-i lo -j ACCEPT), but I
> believe that's not the case.
Any pointer?
> regards,
> Georgi Alexandrov
>
>
* RE: Fwd: Linux as router (Gateway Server)
@ 2005-02-13 17:24 Gary W. Smith
0 siblings, 0 replies; 17+ messages in thread
From: Gary W. Smith @ 2005-02-13 17:24 UTC (permalink / raw)
To: Navneet Choudhary, Josh Nerius; +Cc: netfilter
Wouldn't it just be easier to put a log statement before the drop so you
can see what iptables is dropping? This might really simplify your
troubleshooting.
Besides Google, log files are your friends as well. If your default
rule is to DROP everything but the log isn't catching anything, then you
have another problem; otherwise you'll know immediately which ports to
open.
Gary Smith
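Gary's suggestion carried out, as an added example that is not part of the thread and not anyone's posted code: the LOG rules to place in front of the drops, and a script that condenses the resulting kernel log lines into counts per chain, interface, protocol and destination port, so the rule that is missing can be read off rather than guessed. The log lines are constructed for the example (the squid line is the one from Navneet's first mail; addresses other than the gateway's own 172.21.0.133 are documentation ranges), and the IPT-*-DROP prefixes are the example's own naming.

```shell
#!/bin/sh
# Added example, not code from the thread: count what LOG rules placed in front
# of the DROPs report, so the chain, interface and port that need a rule can be
# read off directly instead of guessed.
#
# Rules to add (as root, after review). Appending to OUTPUT and FORWARD works
# because only the chain policy drops there; the posted INPUT chain has explicit
# "-p udp -j DROP" and SYN DROP rules as rules 7 and 8, so its LOG rule must be
# inserted ahead of them, e.g. "-I INPUT 7", or those drops stay unlogged.
#   iptables -A OUTPUT  -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "IPT-OUTPUT-DROP: "
#   iptables -A FORWARD -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "IPT-FORWARD-DROP: "
#   iptables -I INPUT 7 -m limit --limit 5/min --limit-burst 20 -j LOG --log-prefix "IPT-INPUT-DROP: "

# Constructed sample of /var/log/messages after those rules are in place. The
# three OUTPUT entries are what a local connect to 127.0.0.1:3128 looks like
# when the OUTPUT chain has no "-o lo" ACCEPT; the other entries are filler.
SAMPLE_LOG=$(cat <<'EOF'
Feb 13 22:40:00 squid squid[3652]: Squid Parent: child process 3654 started
Feb 13 22:40:01 squid kernel: IPT-OUTPUT-DROP: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1001 DF PROTO=TCP SPT=32800 DPT=3128 WINDOW=32767 RES=0x00 SYN URGP=0
Feb 13 22:40:01 squid kernel: IPT-OUTPUT-DROP: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1002 DF PROTO=TCP SPT=32801 DPT=3128 WINDOW=32767 RES=0x00 SYN URGP=0
Feb 13 22:40:02 squid kernel: IPT-INPUT-DROP: IN=eth1 OUT= MAC=00:00:00:00:00:01:00:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=172.21.0.133 LEN=40 TOS=0x00 PREC=0x00 TTL=52 ID=0 DF PROTO=TCP SPT=4433 DPT=113 WINDOW=0 RES=0x00 SYN URGP=0
Feb 13 22:40:04 squid kernel: IPT-OUTPUT-DROP: IN= OUT=lo SRC=127.0.0.1 DST=127.0.0.1 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1003 DF PROTO=TCP SPT=32802 DPT=3128 WINDOW=32767 RES=0x00 SYN URGP=0
Feb 13 22:40:05 squid kernel: IPT-FORWARD-DROP: IN=eth0 OUT=eth1 SRC=192.0.2.10 DST=203.0.113.5 LEN=76 TOS=0x00 PREC=0x00 TTL=63 ID=2001 PROTO=UDP SPT=1024 DPT=123 LEN=56
EOF
)

# summarize_drops FILE: one line per (chain prefix, in-interface, out-interface,
# protocol, destination:port), most frequent first.
summarize_drops() {
    sed -n 's/.*\(IPT-[A-Z]*-DROP: .*\)/\1/p' "$1" |
    awk '{
        prefix = $1; in_if = ""; out_if = ""; proto = "?"; dst = "?"; dpt = "-"
        for (i = 2; i <= NF; i++) {
            n = split($i, kv, "=")
            if (n < 2) continue            # flag tokens such as DF or SYN
            if (kv[1] == "IN")    in_if  = kv[2]
            if (kv[1] == "OUT")   out_if = kv[2]
            if (kv[1] == "PROTO") proto  = kv[2]
            if (kv[1] == "DST")   dst    = kv[2]
            if (kv[1] == "DPT")   dpt    = kv[2]
        }
        count[prefix " in=" in_if " out=" out_if " " proto " " dst ":" dpt]++
    }
    END { for (k in count) print count[k], k }' | sort -rn
}

# Demonstration on the constructed sample.
f=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$f"
summarize_drops "$f"
rm -f "$f"
```

On the sample the top line is `3 IPT-OUTPUT-DROP: in= out=lo TCP 127.0.0.1:3128`, which is the loopback SYN being dropped in OUTPUT; run against the real `/var/log/messages` the same summary tells you which chain and port to open without flushing the whole ruleset. The `-m limit` match keeps a scan or a busy LAN from filling the log.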
* Re: Fwd: Linux as router (Gateway Server)
2005-02-13 2:33 ` Josh Nerius
2005-02-13 11:55 ` Georgi Alexandrov
@ 2005-02-13 17:26 ` Navneet Choudhary
[not found] ` <420F4010.7050609@hotpop.com>
2 siblings, 0 replies; 17+ messages in thread
From: Navneet Choudhary @ 2005-02-13 17:26 UTC (permalink / raw)
To: Josh Nerius; +Cc: netfilter
On Sat, 12 Feb 2005 20:33:52 -0600, Josh Nerius <jnerius@gmail.com> wrote:
> > hello josh.
> >
> > I stand 100% with Jason O.'s opinion ..
> > netfilter/iptables has nothing to do with squid binding to some/any port.
> > whoever had to do his homework ... I believe has done it.
> > Accessing that port is something different (-i lo -j ACCEPT), but I
> > believe that's not the case.
> >
> > regards,
> > Georgi Alexandrov
>
> Hello George,
>
> From experience...not speculation, I still stand by what I said.
>
> Squid can be a strange animal. In many configurations, the
> communication between child processes relies on being able to
> communicate via the loopback interface of the machine. Iptables can,
> and in configurations I've worked with has, caused the same
> symptoms described. Basically, the daemon never gets a chance to bind
> to a port as the initial communication between these child processes
> is broken causing the entire startup procedure to fail. This makes the
> illusion that the problem is related to binding the port when in fact
> the program can't start for other reasons.
>
> This problem *can* be caused by firewall rules in place that prevent
> this communication from happening. If you examine the rulesets posted,
> it looks like he is using policy DROP on the INPUT chain which may
> certainly cause problems with squid if proper rules to allow the
> necessary traffic are not in place.
I will test by removing DROP rule on the INPUT chain.
> Another thing to note here, and the reason that I'm of the opinion
> that this could be a netfilter/iptables problem is the fact that the
> original poster seems to have indicated that squid works when iptables
> is flushed.
>
> The last point mentioned above, coupled with the fact that I've dealt
> with this problem during the development of a transparent redirection
> appliance for the company I work for, is why I maintain the opinion
> that I do.
>
> As mentioned before, Jason has a good knowledge of netfilter, but
> apparently not Squid, thus my homework comment.
>
> Thanks, and hopefully this information helps to clarify the
> information I posted. :-)
Sorry, for being so late in replying.
> Josh Nerius
* Re: Fwd: Linux as router (Gateway Server)
2005-02-13 11:55 ` Georgi Alexandrov
@ 2005-02-13 17:34 ` Navneet Choudhary
0 siblings, 0 replies; 17+ messages in thread
From: Navneet Choudhary @ 2005-02-13 17:34 UTC (permalink / raw)
To: Georgi Alexandrov; +Cc: netfilter
> hola Josh,
hello list,
> I did a quick test:
> DROP policy on the INPUT chain, and flushed all the rules (as a result I
> couldn't even ping myself)
Please refer to my rules before the quick test. The line below, from my
original mail's rule set, might help you to ping your system:
-A INPUT -p icmp -m icmp --icmp-type 8 -j ACCEPT
> squid: standard debian/unstable package - unprivileged user, port 3128.
> the result: squid is able to bind to its port fine, with DROP policy on
> the INPUT chain and no rules at all.
Reverting to you all shortly with my detailed test.
> regards,
> Georgi Alexandrov
Regards,
Navneet
|Anytime you feel i need to understand |
|a concept before i am eligible to get |
|an answer i would be happy to know. |
^*******************************************^
* Re: Fwd: Linux as router (Gateway Server)
[not found] ` <420F4010.7050609@hotpop.com>
@ 2005-02-13 21:38 ` Josh Nerius
2005-02-14 22:15 ` Jason Opperisano
0 siblings, 1 reply; 17+ messages in thread
From: Josh Nerius @ 2005-02-13 21:38 UTC (permalink / raw)
To: netfilter
> hola Josh,
>
> I did a quick test:
> DROP policy on the INPUT chain, and flushed all the rules (as a result I
> couldn't even ping myself)
> squid: standard debian/unstable package - unprivileged user, port 3128.
> the result: squid is able to bind to its port fine, with DROP policy on
> the INPUT chain and no rules at all.
>
> regards,
> Georgi Alexandrov
George,
As Navneet pointed out, he is using a redirector (squidguard). This is
exactly what I suspected, and exactly what I explained. The reason
you had the results you did is because your setup is *not*
duplicating that of Navneet's or the situation I described.
I find it amusing, but irritating, that you seem to be trying to prove
what I have said wrong when you do not have an understanding of the
problem, or the information I provided.
------------------------------
Navneet,
I had the same issue you are experiencing while using SquidGuard some
time back. The resolution was playing with accepting traffic from and
to 127.0.0.1. I honestly don't remember the exact rules as it was some
time ago I dealt with this issue, but a minor amount of
experimentation should prove to solve the issue. I'm currently digging
through old configs etc and will let you know if/when I find the exact
rules I put in place to resolve the issue.
I hope everything works out for you.
--
Math problems? Call 1-800-[(10x)(13i)^2]-[sin(xy)/2.362x]
* Re: Fwd: Linux as router (Gateway Server)
2005-02-13 21:38 ` Josh Nerius
@ 2005-02-14 22:15 ` Jason Opperisano
2005-02-15 2:32 ` Josh Nerius
0 siblings, 1 reply; 17+ messages in thread
From: Jason Opperisano @ 2005-02-14 22:15 UTC (permalink / raw)
To: netfilter
On Sun, 2005-02-13 at 16:38, Josh Nerius wrote:
> Navneet,
>
> I had the same issue you are experiencing while using SquidGuard some
> time back. The resolution was playing with accepting traffic from and
> to 127.0.0.1. I honestly don't remember the exact rules as it was some
> time ago I dealt with this issue, but a minor amount of
> experimentation should prove to solve the issue. I'm currently digging
> through old configs etc and will let you know if/when I find the exact
> rules I put in place to resolve the issue.
>
> I hope everything works out for you.
didn't someone in this thread already point out that his rules don't
include:
iptables -A INPUT -i lo -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
-j
--
"Asleep at the switch? I wasn't asleep, I was drunk!"
--The Simpsons
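The two rules Jason names, applied to the ruleset Navneet posted earlier in the thread, as an added example that is not part of the thread and not Jason's or Josh's code. The script lints an iptables-save dump for a loopback ACCEPT in each chain whose policy is DROP and writes a corrected dump. Why both chains matter: a local client such as the squidGuard redirector connecting to 127.0.0.1:3128 sends its SYN out through the OUTPUT chain with `-o lo` and the kernel then delivers it back in through INPUT with `-i lo`; the posted OUTPUT chain accepts only RELATED,ESTABLISHED traffic, DNS, the squid user's connections to 80/443 on eth1 and ICMP echo, so the SYN never gets as far as the INPUT rule for 127.0.0.1. The sample dump is a shortened copy of the posted filter table, constructed for the example with the wrapped rules rejoined; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: lint an iptables-save dump for the
# two loopback ACCEPT rules and emit a corrected dump. A local client (the
# squidGuard redirector talking to squid, or anything else connecting to
# 127.0.0.1) sends its SYN through OUTPUT with -o lo and receives it through
# INPUT with -i lo; with policy DROP on both chains the first packet needs an
# explicit ACCEPT in each. "-A INPUT -s 127.0.0.1 -j ACCEPT" covers only the
# INPUT half, and "--state RELATED,ESTABLISHED" never matches a fresh SYN.

# Constructed sample: the filter table of the posted ruleset, shortened, with
# the wrapped rules rejoined onto single lines as iptables-restore requires.
SAMPLE_DUMP=$(cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -s 127.0.0.1 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p tcp -m tcp --sport 1024:65535 --dport 3128 --tcp-flags SYN,RST,ACK SYN -j ACCEPT
-A OUTPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 1024:65535 --dport 80 --tcp-flags SYN,RST,ACK SYN -m owner --uid-owner squid -j ACCEPT
COMMIT
EOF
)

# check_loopback_rules FILE: for each filter chain with policy DROP, report a
# missing loopback ACCEPT. Returns 0 when nothing is missing, 1 otherwise.
check_loopback_rules() {
    filter=$(sed -n '/^\*filter/,/^COMMIT/p' "$1")
    missing=0
    if printf '%s\n' "$filter" | grep -q '^:INPUT DROP' &&
       ! printf '%s\n' "$filter" | grep -q '^-A INPUT -i lo -j ACCEPT$'; then
        echo "missing: -A INPUT -i lo -j ACCEPT"
        missing=1
    fi
    if printf '%s\n' "$filter" | grep -q '^:OUTPUT DROP' &&
       ! printf '%s\n' "$filter" | grep -q '^-A OUTPUT -o lo -j ACCEPT$'; then
        echo "missing: -A OUTPUT -o lo -j ACCEPT"
        missing=1
    fi
    return $missing
}

# add_loopback_rules FILE: print FILE with the two loopback rules inserted right
# after the filter table's policy lines, so they are the first rule in each chain.
add_loopback_rules() {
    awk '
        { print }
        /^\*filter/ { in_filter = 1 }
        /^COMMIT/   { in_filter = 0 }
        in_filter && /^:OUTPUT / {
            print "-A INPUT -i lo -j ACCEPT"
            print "-A OUTPUT -o lo -j ACCEPT"
        }
    ' "$1"
}

# Demonstration on the constructed sample; nothing is loaded into the kernel.
orig=$(mktemp); fixed=$(mktemp)
printf '%s\n' "$SAMPLE_DUMP" > "$orig"
check_loopback_rules "$orig" || echo "posted ruleset: loopback traffic would be dropped"
add_loopback_rules "$orig" > "$fixed"
check_loopback_rules "$fixed" && echo "corrected ruleset: loopback accepted (load with iptables-restore < file)"
rm -f "$orig" "$fixed"
```

To apply this to a live box, run `iptables-save` into a file, feed it through `add_loopback_rules`, review the result and load it with `iptables-restore`. Matching on the interface rather than on `-s 127.0.0.1` is also the more complete form: a local process that connects to one of the gateway's own non-loopback addresses (172.21.0.133, for instance) still travels over lo, but with that address as its source, so the address-based rule does not see it while `-i lo` does.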
* Re: Fwd: Linux as router (Gateway Server)
2005-02-14 22:15 ` Jason Opperisano
@ 2005-02-15 2:32 ` Josh Nerius
0 siblings, 0 replies; 17+ messages in thread
From: Josh Nerius @ 2005-02-15 2:32 UTC (permalink / raw)
To: netfilter
> didn't someone in this thread already point out that his rules don't
> include:
>
> iptables -A INPUT -i lo -j ACCEPT
> iptables -A OUTPUT -o lo -j ACCEPT
>
> -j
Yes, I believe I said something to that effect in my original reply.
--
Math problems? Call 1-800-[(10x)(13i)^2]-[sin(xy)/2.362x]